672 Views, 10 Helpful, 9 Replies

configuring PIX 515 for smtp

shoebwk
Level 1

I have made this config from the Cisco website. Will this config work for me, so that my Exchange SMTP traffic comes and goes through this PIX?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxx
passwd xxxxx
hostname SanQuentin
domain-name noplace.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 ras 1718-1719
fixup protocol h323 h225 1720
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
access-list smtp permit tcp any host 209.x.x.5 eq smtp
!
pager lines 24
logging on
logging timestamp
no logging standby
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
no logging history
logging facility 23
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
! the post had "interface ethernet 2 auto"; the PIX interface name takes no space
interface ethernet2 auto
!
mtu outside 1500
mtu inside 1500
mtu dmz 1500
! a /30 mask leaves only 192.168.1.1 and .2 usable on the inside, while the static and
! http lines below assume a 192.168.1.0/24 inside network; one of the two needs changing
ip address inside 192.168.1.1 255.255.255.252
ip address outside 209.x.x.1 255.255.255.252
ip address dmz 172.16.128.1 255.255.255.0
no failover
!
arp timeout 14400
static (dmz,outside) 209.x.x.5 172.16.128.103 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 209.x.x.2 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
! "public" is the well-known default read community; change it or remove SNMP before going live
snmp-server community public
no snmp-server enable traps
floodguard enable
terminal width 80
Cryptochecksum:xxxxx
: end

I have a serial router, a 2611XM, which will connect to the Internet. I want to know what the IP addresses would be for the serial port and for the Ethernet port to which the PIX will be connected.

9 Replies

pcomeaux
Cisco Employee

Let's review what's in your config:

1) Understand Security Level Relationships between interfaces - Done

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

2) Enable the interfaces - Done

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

3) Address the Interfaces - Done

ip address inside 192.168.1.1 255.255.255.252

ip address outside 209.x.x.1 255.255.255.252

ip address dmz 172.16.128.1 255.255.255.0

4) Establish Routing - default routes and routes in inside networks - done for outside

route outside 0.0.0.0 0.0.0.0 209.x.x.2 1

5) Create translations for traffic from Inside to Outside (Higher to Lower) - MISSING

Here's an example if you want to translate all inside IPs to the interface IP of the outside interface (PAT all addresses):

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

No ACL is required for this traffic flow from the Inside to the Outside since the traffic is from a higher to a lower interface. The same is true for traffic from the Inside to the Dmz and for traffic from the Dmz to the Outside.

6) Create translations for traffic from Inside to Dmz (Higher to Lower) - Done

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

7) Create translations for traffic from Outside to Dmz (Lower to Higher) - Done

static (dmz,outside) 209.x.x.5 172.16.128.103 netmask 255.255.255.255

An ACL is also needed to permit the inbound traffic to the SMTP server, so that's what we will check next.

8) Create ACL for traffic from Outside to Dmz (Lower to Higher) - Done

access-list smtp permit tcp any host 209.x.x.5 eq smtp

9) Apply ACL to outside interface for traffic from outside (Lower to Higher) - Done

access-group smtp in interface outside

So at this point with your config, it looks like mail could come into the SMTP server in the Dmz and users on the Inside can access the Mail server. However, the Inside hosts cannot access anything on the Outside (i.e. Internet) since the translation is missing (see Step 5).

Give this a try and let us know how it is working.

thanks!

peter

This was the best explained answer for me in this post. Thanks a lot.

Can I put the DMZ on the same network, 192.168.1.0, so that my Exchange server will be on the local LAN? Or otherwise, if my Exchange server is 172.16.128.1, how will the Outlook clients get connected to the Exchange server, since the clients are on the 192.168.1.0 network and Exchange is on a different network? Or will the clients get connected to Exchange because their gateway is the PIX internal IP? Please explain this to me.

Secondly, can you post me an example config for the router connecting to the Internet?

For the serial connection, will it be

interface serial0
 ! IOS syntax is "ip unnumbered", not "ip address unnumbered"
 ip unnumbered Ethernet0

or

interface serial0

ip address negotiated

thanks

shoeb

Ideally, you would have an SMTP server acting as an inbound/outbound mail relay in the DMZ, while the Exchange server is on the inside (local LAN).

If you cannot do this, the Exchange server should be on the local LAN for best performance for your LAN users. Be aware of the risk of this: if the Exchange server is compromised over SMTP (the only port you open this server up on), then the attacker has access to all of the LAN.

So, if the Exchange server is on the LAN, then the users would point to the internal IP of the Exchange server. Your MX record would point to the outside IP address that is configured on the PIX. Your static statement on the PIX would be for the inside and outside addresses (no DMZ config at all).

If you decide to place the SMTP relay on the DMZ and the Exchange server on the inside, then the MX record is still the outside address. The users use the internal Exchange server for their mail.

In any case, I would advise to add an ACL on the Pix's inside interface to deny ALL outbound SMTP except for the SMTP from the Exchange server outbound to either all destinations (if no dmz smtp relay) or just to the DMZ Smtp relay.

Please let us know how it goes.

thanks

peter

hi peter,

I am very new to this Exchange setup with the PIX.

I could not understand the part about the SMTP relay in the DMZ and Exchange on the local LAN. Do you mean that I have to put in two servers, or a single server with two NIC cards? I am confused. Can you post me an example of this?

thanks

Sorry about any confusion.

Let's start simple. The exchange server can be the mail server for all internal clients and all external e-mail is delivered directly to it.

Here are some configuration examples of where to place the Exchange server.

Configuring the PIX Firewall with Mail Server Access on DMZ Network

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

Configuring the PIX Firewall with Mail Server Access on Inside Network

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Both of the above scenarios require a single server.

Some customers prefer the following: an SMTP relay server on the DMZ (usually filtering viruses/spam) and a second server on the inside, which is the Exchange server.

Here's a nice example with pros and cons on this scenario:

Using Mail Relays to Enhance Exchange Security

http://www.msexchange.org/tutorials/Mail_Relays_Enhance_Exchange_Security.html

Please let me know what follow up question you have.

peter

OK, I have decided to put the Exchange server in the DMZ with an IP in the 172.X.X.X range. I have two doubts.

First, which command in the PIX configuration above will allow the users on the 192.168.X.X network to access the Exchange server in the DMZ?

Secondly, if I decide to put a mail relay like MailSweeper in the DMZ, then should the MX record point to the mail relay IP? And where will the outside user connect, to the mail relay server or to the Exchange server?

Are any changes required in the config?

Ok - sounds good.

1st question - 2 things are required for traffic flow between interfaces - a) ACL b) translation

Since the traffic flow in this case is from the Inside (Security Level 100) to the DMZ (Security Level 50), no ACL is required. The PIX implicitly permits this by default when no ACL is applied to the inside interface.

The translation between the Inside and the DMZ is already set up by one of several methods. In this case, you have: static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0.

2nd question - The MX record should point to the public address of the SMTP relay server. Incoming mail from anyone on the Internet would be delivered to the SMTP relay server. If your users wanted Outlook Web Access from the outside, you would connect those users to a different server. That server would be either the Exchange server, or an OWA front-end server that would reside in the DMZ. I am sure Microsoft has some papers on their website on how to set up an OWA front-end server that sits in the DMZ while the Exchange server resides internal to the network. I am pretty sure the SMTP relay server and the OWA front-end could be on the same DMZ server.

Please let us know any follow on questions you may have.

thanks

peter
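The translation-plus-ACL rules laid out in the step-by-step review above, in the advice to bind an SMTP-only ACL to the inside interface, and in the answer to the first question here, worked through as a small Python model. This is an added example, not code from the thread or from Cisco: it models only nameif, static, nat/global, access-list and access-group (no fixups, routing or connection limits), and the addresses are assumptions (203.0.113.5 in place of the thread's 209.x.x.5, 192.168.1.10 for the Exchange server, 198.51.100.7 for an Internet host).

```python
"""Model of how a PIX 6.x decides a TCP flow between two interfaces: first the ACL
bound to the ingress interface (if any), then a translation (xlate) must exist.
Added example for this thread, not Cisco code; it handles only nameif, static, nat,
global, access-list and access-group.  Assumed addresses: 203.0.113.5 stands in for
the thread's 209.x.x.5, 192.168.1.10 is the Exchange server, 198.51.100.7 an Internet host."""
import ipaddress

# Constructed config: the poster's translation and ACL lines, plus the nat/global pair
# from step 5 of the first reply and the inside-interface SMTP ACL recommended later.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list smtp permit tcp any host 203.0.113.5 eq smtp
access-list inside_out permit tcp host 192.168.1.10 any eq smtp
access-list inside_out deny tcp any any eq smtp
access-list inside_out permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.0.113.5 172.16.128.103 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group smtp in interface outside
access-group inside_out in interface inside
"""
# The config as originally posted: no nat/global pair and no ACL on the inside interface.
AS_POSTED = "\n".join(l for l in PIX_CONFIG.splitlines() if not l.startswith(
    ("nat ", "global ", "access-list inside_out", "access-group inside_out")))
PORTS = {"smtp": 25, "www": 80, "https": 443}

def _addr(t, i):
    """Parse an ACL address spec at t[i]: 'any', 'host A' or 'A MASK'. Returns (net, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_pix(text):
    cfg = {"level": {}, "static": [], "nat": [], "global": {}, "acl": {}, "group": {}}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("!", ":"):
            continue
        if t[0] == "nameif":            # nameif ethernet0 outside security0
            cfg["level"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "static":          # static (high,low) MAPPED REAL netmask MASK
            high, low = t[1].strip("()").split(",")
            cfg["static"].append((high, low,
                                  ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False),
                                  ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)))
        elif t[0] == "nat":             # nat (IF) ID NET MASK [limits]
            cfg["nat"].append((t[1].strip("()"), int(t[2]),
                               ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":          # global (IF) ID interface|POOL
            cfg["global"].setdefault(int(t[2]), set()).add(t[1].strip("()"))
        elif t[0] == "access-list":     # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORTS.get(t[i + 1]) or int(t[i + 1])
            cfg["acl"].setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "access-group":    # access-group NAME in interface IF
            cfg["group"][t[4]] = t[1]
    return cfg

def acl_verdict(aces, src, dst, dport):
    """First matching entry wins; an applied ACL ends with an implicit deny."""
    for action, proto, s, d, port in aces:
        if src in s and dst in d and (proto == "ip" or port is None or port == dport):
            return action
    return "deny"

def evaluate(cfg, src_if, src_ip, dst_if, dst_ip, dport):
    """Decide a TCP flow entering on src_if from src_ip to dst_ip (as seen on src_if, i.e.
    the mapped address for lower-to-higher flows) on dst_if.  Returns (allowed, reason)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    higher_to_lower = cfg["level"][src_if] > cfg["level"][dst_if]
    acl = cfg["group"].get(src_if)
    if acl is not None:                 # an applied ACL replaces the default behaviour
        if acl_verdict(cfg["acl"][acl], src, dst, dport) != "permit":
            return False, f"denied by access-list {acl} on {src_if}"
    elif not higher_to_lower:           # no ACL: higher-to-lower permitted, lower-to-higher not
        return False, f"no access-list on {src_if}: lower-to-higher is denied by default"
    if higher_to_lower:                 # the source needs a static or a nat/global pair
        if any(h == src_if and l == dst_if and src in real for h, l, _, real in cfg["static"]):
            return True, "permitted; source covered by a static"
        for nat_if, nat_id, net in cfg["nat"]:
            if nat_if == src_if and src in net and dst_if in cfg["global"].get(nat_id, ()):
                return True, f"permitted; nat/global id {nat_id}"
        return False, "no translation for the source: add nat/global or a static"
    for h, l, mapped, real in cfg["static"]:   # destination must be a static's mapped address
        if h == dst_if and l == src_if and dst in mapped:
            real_ip = real.network_address + (int(dst) - int(mapped.network_address))
            return True, f"permitted; {dst} untranslates to {real_ip}"
    return False, "no static exposes the destination on this interface"
```

parse_pix(AS_POSTED) reproduces the first reply's finding: evaluate() permits inbound port 25 from the Internet to 203.0.113.5 (untranslating it to 172.16.128.103) and permits inside hosts to reach the DMZ through the identity static, but refuses an inside workstation bound for the Internet because no nat/global pair exists. With parse_pix(PIX_CONFIG) the workstation 192.168.1.50 gets out on port 80 through PAT, is refused on port 25 by the inside ACL, and the Exchange host 192.168.1.10 is still allowed to send. Note that as soon as an ACL is bound to the inside interface the implicit higher-to-lower permit is gone, which is why the recommended list has to end in permit ip any any.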

i will implement this config next week.

In the forum I have read that sometimes we need to disable Mail Guard, i.e. no fixup protocol smtp 25.

Why is it done so?

What is Mail Guard?

What exactly does this fixup protocol command do?

regards

shoeb

The fixup protocol smtp 25 command permits only the RFC-compliant SMTP commands through the PIX. This is to protect the mail server. When using an Exchange server as the SMTP gateway, customers find that they need to turn this fixup off because Microsoft uses ESMTP commands, which are not part of the RFC.

Here's a blurb from the command reference guide for the Pix software:

fixup protocol smtp

The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are translated into X's which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.

--------------------------------------------------------------------------------

Note During an interactive SMTP session, various SMTP security rules may reject or deadlock your Telnet session. These rules include the following: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.

--------------------------------------------------------------------------------

As of PIX Firewall software Version 5.1 and higher, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks except for the "2", "0", "0 " characters. Carriage return (CR) and linefeed (LF) characters are ignored.

In PIX Firewall software Version 4.4, all characters in the SMTP banner are converted to asterisks.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379

Here's a link to a MS Knowledge Database article which gives you their perspective:

http://support.microsoft.com/default.aspx?scid=kb;en-us;320027

Hope this helps,

peter
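What the quoted Mail Guard description amounts to on the wire, as an added Python model that is neither Cisco's code nor from the thread: only the seven RFC 821 verbs pass, anything else reaches the server as X's, incomplete lines are discarded, the 220 banner is masked, and a client that opens with the ESMTP greeting EHLO (RFC 1869) therefore gets the "500 Command unknown" the quote mentions. The toy server, the banner and the sample session are constructed for the demo, and the banner masking is this example's reading of the "except for the 2, 0, 0 characters" wording.

```python
"""Model of what 'fixup protocol smtp 25' (Mail Guard) does to an SMTP session, as the
quoted command reference describes it: client verbs outside the RFC 821 set are
overwritten with X's before the server sees them, incomplete commands are discarded,
and the server's 220 banner is masked.  Added example for this thread, not Cisco code.
The toy server stands in for an Exchange box and is constructed for the demo."""

ALLOWED = {b"HELO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}

def mailguard_command(line):
    """Return the client line as forwarded to the server, or None if it is discarded.
    Commands must be at least four characters and end in CRLF (the 'incomplete' rules
    in the quoted note); any verb outside ALLOWED is replaced by X's of the same length."""
    if not line.endswith(b"\r\n"):
        return None
    body = line[:-2]
    verb = body.split(b" ", 1)[0]
    if len(verb) < 4:
        return None
    if verb.upper() in ALLOWED:
        return line
    return b"X" * len(verb) + body[len(verb):] + b"\r\n"

def mailguard_banner(banner):
    """Mask the 220 greeting so it leaks no product or version.  This example reads
    'asterisks except for the 2, 0, 0 characters' as: keep the reply code and its
    separator, star out everything after them (the 5.1+ behaviour in the quote)."""
    code, sep, rest = banner.rstrip(b"\r\n").partition(b" ")
    return code + sep + b"*" * len(rest) + b"\r\n"

def toy_server(line):
    """Constructed stand-in for the mail server behind the PIX.  It speaks ESMTP (EHLO,
    RFC 1869) as Exchange does, plus the RFC 821 verbs; anything else gets the 500."""
    verb = line.rstrip(b"\r\n").split(b" ", 1)[0].upper()
    if verb == b"EHLO":
        return b"250-mail.example.com\r\n250 SIZE 10485760\r\n"
    if verb == b"HELO":
        return b"250 mail.example.com\r\n"
    if verb in (b"MAIL", b"RCPT", b"RSET", b"NOOP"):
        return b"250 OK\r\n"
    if verb == b"DATA":
        return b"354 Start mail input\r\n"
    if verb == b"QUIT":
        return b"221 Bye\r\n"
    return b"500 Command unknown: '" + verb + b"'\r\n"

def session(commands, guard=True):
    """Push client lines through Mail Guard (or straight through) to the toy server and
    return the replies the client sees; a discarded line produces no reply at all."""
    replies = []
    for c in commands:
        forwarded = mailguard_command(c) if guard else c
        if forwarded is not None:
            replies.append(toy_server(forwarded))
    return replies

# Constructed session, opened the way an ESMTP client such as Exchange opens it.
EXCHANGE_SESSION = [
    b"EHLO exch.example.com\r\n",
    b"MAIL FROM:<a@example.com>\r\n",
    b"RCPT TO:<b@example.net>\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    print(mailguard_banner(b"220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n"))
    for guard in (True, False):
        print("fixup on " if guard else "fixup off", session(EXCHANGE_SESSION, guard))
```

With the fixup on, the first reply the client sees is 500 Command unknown: 'XXXX', because EHLO became XXXX in transit; a real ESMTP client would then either fall back to HELO (losing the extensions it wanted, such as SIZE or STARTTLS, which Mail Guard would also mask) or abort the session. With the fixup off the same session gets the 250- extension list. That is the trade-off behind the "no fixup protocol smtp 25" advice in the thread: the verb filter and banner masking protect a plain RFC 821 server, but they break ESMTP negotiation.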
